Abstract

We consider the problem of bounded model checking of systems expressed in a decidable fragment of first-order logic. While model checking is not guaranteed to terminate for an arbitrary system, it converges for many practical examples, including pipelined processors. We give a new formal definition of convergence that generalizes previously stated criteria. We also give a sound semi-decision procedure to check this criterion based on a translation to quantified separation logic. Preliminary results on simple pipeline processor models are presented.
1 Introduction


Systems with parameters of finite but arbitrary or large size are often modeled as infinite-state systems. Such systems include superscalar processors, communication protocols with unbounded channels, and networks of an arbitrary number of identical processes. While state elements can still be of Boolean type, richer data types such as unbounded integers or unbounded arrays of integers are also used. Employing this richer expressive power is one approach to tackling the state explosion problem.

In the area of hardware verification, the logic of Equality with Uninterpreted Functions and Memories (EUFM) has been successfully used for the automated verification of pipelined processor designs [7, 3]. The more general logic of Counter Arithmetic with Lambda Expressions and Uninterpreted Functions [4] (CLU) has been used for bounded model checking and inductive invariant checking of out-of-order microprocessors with unbounded resources [14]. Bounded model checking proceeds by symbolically simulating the system for a finite number of steps starting from an initial state, checking on each step that a state property holds. As the state elements can be terms in a first-order logic, we will refer to this technique as term-level bounded model checking. Since term-level models can express Turing machines [12], the symbolic simulation might never reach a fixpoint in general. However, in many practical cases, the simulation does converge. It is therefore necessary to check, after each simulation step, whether the simulation has converged. Term-level bounded model checking is also useful in combination with other techniques such as Burch-Dill style verification [7], since it provides a way to compute the most general reachable state in which to initialize the system when using those techniques.

In this paper, we make two main contributions. First, we give a new formal definition of convergence for term-level bounded model checking, where CLU logic is used as the modeling formalism. The convergence criterion is formulated as a quantified second-order formula with one quantifier alternation, and is undecidable in general. Second, we give two semi-decision procedures for this class of second-order formulas, the first being sound and the second being complete. Our procedures are based on a translation to a decidable fragment of first-order logic called quantified separation logic (QSL). QSL formulas are quantified Boolean combinations of Boolean variables and predicates of the form $x_i < x_j + c$ or $x_i = x_j + c$, where $x_i$ and $x_j$ are real or integer variables, and $c$ is a constant. The QSL formulas are then decided by a translation to quantified Boolean logic [16]. Although we use the semi-decision procedures for convergence checking, our results are also more generally applicable to automated theorem proving of second-order formulas.

Previous term-level model checkers vary in expressiveness of the underlying logic, and either use syntactic convergence criteria or approximation techniques that guarantee convergence at the cost of completeness. Hojati et al. [12] presented a modeling formalism called ICS which is similar in expressiveness to EUFM. They showed that ICS models do not converge in general, except under highly restrictive assumptions that are not of practical interest. Isles et al. [13] built on this work, giving a conservative, syntactic definition of convergence of ICS models, and using it to verify versions of the DLX pipeline. Our logic is more expressive than ICS. Also, as we show in Section 5.2, their convergence criterion is a special case of the one we present in this paper. Corella et al. [8] have used Multiway Decision Graphs (MDGs) for term-level model checking. MDGs are BDD-like data structures used for representing formulas in quantifier-free logics such as EUFM and CLU; the exact logic represented depends on the set of interpreted function symbols used in the model. Thus, Corella et al. use MDGs to represent the characteristic function of the set of states of a term-level model. Unlike our work, their models cannot have variables of function type, and hence cannot verify systems with embedded memories. However, they address a more general class of properties expressible in a first-order temporal logic. With respect to convergence checking, Corella et al. use syntactic rewriting techniques similar to those employed for ICS [13]. Bultan et al. [5] have used Presburger arithmetic for verifying concurrent algorithms. Checking convergence for systems expressed in Presburger arithmetic is decidable; however, since the model checking might not converge in general, they conservatively approximate the fixpoint, allowing the possibility of spurious counterexamples. In comparison, our use of CLU logic allows us to use uninterpreted functions and also lets us model richer systems with memories. This expressive power, however, results in convergence checking becoming undecidable.

The rest of the paper is organized as follows. Section 2 presents CLU logic and our system modeling formalism. Section 3 defines the term-level bounded model checking problem. In Section 4, we formally define the convergence criterion. Section 5 describes how we check this criterion. Finally, we conclude in Section 6 with some preliminary results with pipelined processor models. Detailed proofs of the theorems can be found in the appendix.


2 Preliminaries

2.1 CLU Logic


Syntax. The syntax includes four classes of expressions, representing computations of truth values or integers, as well as functions over integers yielding truth values or integers. We use symbols to represent abstract values and functions. Symbols are written with a typewriter font, such as a or f. Associated with each symbol is a type indicating what kind of value it represents (truth, integer, function, or predicate). For function and predicate symbols, the type includes its arity indicating the number of arguments it takes. For function symbol f, we write its arity as arity(f). For a set of symbols $A$, we let $E(A)$ denote the set of all expressions that can be formed using these symbols, obeying the usual rules on type matching.

  bool-expr      ::= true | false | bool-symbol | ¬bool-expr | (bool-expr ∧ bool-expr)
                   | (int-expr = int-expr) | (int-expr < int-expr)
                   | predicate-expr(int-expr, ..., int-expr)
  int-expr       ::= lambda-var | int-symbol | ITE(bool-expr, int-expr, int-expr)
                   | int-expr + int-constant | function-expr(int-expr, ..., int-expr)
  predicate-expr ::= predicate-symbol | λ lambda-var, ..., lambda-var . bool-expr
  function-expr  ::= function-symbol | λ lambda-var, ..., lambda-var . int-expr

Figure 1: Expression Syntax. Expressions can denote computations of Boolean values, integers, or functions yielding Boolean values or integers.

The syntax includes integer lambda variables. These only serve to represent the arguments to lambda expressions. Note also that the lambda expression syntax is constrained so that they cannot have functions as arguments, and they cannot express any form of looping or recursion.

Sets of Expressions. We use two ways to refer to sets of expressions in which we must identify the different elements. The first is a vector notation, in which we index the elements with integer subscripts. We use the notation $\vec{e}$ to denote a vector with elements $e_1, \ldots, e_n$. The second is a named-element notation, in which we have a set of symbolic names $A$ and write a set of expressions $e$ as having an element $e_a$ for each $a \in A$.

With both notations, we can indicate the syntactic substitution of elements for symbols or variables in an expression. That is, the expression $s[\vec{e}/\vec{x}]$ denotes the expression where each instance of $x_i$ in $s$ is replaced by the expression $e_i$ for $1 \leq i \leq n$. These substitutions are performed in parallel, so there is no ambiguity if some expression $e_i$ contains the symbol $x_j$. Similarly, $s[e/A]$ indicates the result of replacing each instance of a symbol $a \in A$ with the expression $e_a$.

Semantics. For a set of symbols $A$, we let $\sigma_A$ indicate an interpretation of each of these symbols. That is, $\sigma_A$ maps each symbol to an integer, a truth value, or a function according to the symbol type. For any expression $e \in E(A)$, we define its evaluation under interpretation $\sigma_A$, denoted $\langle e \rangle_{\sigma_A}$, as the value obtained by evaluating $e$ when each symbol $a$ is replaced by its interpretation $\sigma_A(a)$. We omit the detailed definition.

A truth expression $e \in E(A)$ is said to be universally valid when it evaluates to true for all interpretations of its symbols, i.e., when $\langle e \rangle_{\sigma_A} = \mathit{true}$ for all $\sigma_A$.

As a final notation, for disjoint symbol sets $A$ and $B$, each having interpretations $\sigma_A$ and $\sigma_B$, we let $\sigma_A \cdot \sigma_B$ denote the interpretation over the symbols in $A \cup B$ obtained by applying the respective interpretations to the symbols in $A$ and $B$.

As noted earlier, our syntax for function applications requires all arguments to be integer expressions. We can therefore transform any integer or truth expression containing lambda expressions into an equivalent lambda-free one by performing Beta reduction, in which the lambda variables are syntactically substituted, in parallel, by the actual parameter expressions.

2.2 System Model

We model the system as having a number of state elements, where each state element may be a truth or integer value, or a function or predicate. This latter class of state elements allows us to describe various forms of memories. For example, a conventional random-access memory can be modeled as a function that yields an integer data value given an integer address as argument. We use symbolic names to represent the different state elements, giving the set of state symbols $\mathcal{S}$. We also introduce a set of input symbols $\mathcal{I}$, representing a set of input signals that can be set to different values on each step of operation. That is, on each step $i$, we introduce a symbol $a_i$ for each input symbol $a$. We refer to such signals as the indexed input symbols. We introduce two more sets of symbols $\mathcal{K}$ and $\mathcal{X}$ to allow one run by the verifier to compute the behavior of systems with different functionality operating with different initial state and input values. The symbols in $\mathcal{K}$ parameterize system functionality. This could include, for example, function symbols for the ALU, and the contents of the instruction memory. The symbols in $\mathcal{X}$ parameterize the initial state and system input sequence. These could include a function symbol to encode the initial state of a memory. They also include the indexed input symbols.

The overall system operation is characterized by an initial state $s^0$ and a transition behavior $\delta$. The initial state contains an expression for each state element. The initial value of state element $a$ is given by an expression $s^0_a \in E(\mathcal{X})$. The transition behavior consists of an expression for each state element. The behavior for state element $a$ is given by an expression $\delta_a \in E(\mathcal{K} \cup \mathcal{S} \cup \mathcal{I})$. In this expression, we use the state element symbols to represent the current system state, and the input symbols to represent the current values of the inputs. The expression then gives the new state for that state element.


From these expressions, we define the state sequence for the system $s^0, \ldots, s^i, \ldots$, where the state at step $i$ consists of an expression $s^i_a \in E(\mathcal{K} \cup \mathcal{X})$ for each state element. This expression is given by performing the double substitution

$$ s^{i+1}_a = \delta_a[s^i/\mathcal{S},\ t^{i+1}/\mathcal{I}], \qquad (1) $$

where the input expression $t^i$ has $t^i_a = a_i$ for each $a \in \mathcal{I}$. As mentioned earlier, we always perform Beta reduction following a substitution such as this. We use the shorthand $s^i =$ to indicate this process of generating the expressions for the state at step $i$.


3 Property Checking


A system property $P$ is represented as a Boolean expression over the state elements, $P \in E(\mathcal{S})$. Typically we want to determine whether $P$ holds at some particular step $k$, or whether $P$ holds at every step. We can determine whether $P$ holds at some particular step $k$ by applying a decision procedure for CLU logic. However, our interest here is to prove that $P$ holds for every step $i \geq 0$. In general, this task is undecidable. The problem remains undecidable even if we restrict the class of systems to ones with only integer state elements, and where the system behavior is described using a logic of equality with uninterpreted functions [12].

Instead, we focus on a more restricted class of systems that satisfy a property we call $k$-convergence. With these systems, every reachable state can be reached within $k$ steps for some combination of initial state and inputs, for some fixed bound $k$. If we can prove that a system is $k$-convergent, then we can guarantee property $P$ holds on every step by verifying that it holds on every step up through $s^k$.

Formally, we say that a system with initial state $s^0$ and transition behavior $\delta$ converges in $k$ steps when for every interpretation $\sigma_\mathcal{X}$ of the initial state and inputs and for every interpretation $\sigma_\mathcal{K}$ of the system parameters, there exists a step $i \leq k$ and an alternate interpretation $\theta_\mathcal{X}$ of the initial state and inputs, such that for every state symbol $a \in \mathcal{S}$

$$ \langle s^i_a \rangle_{\theta_\mathcal{X} \cdot \sigma_\mathcal{K}} = \langle s^{k+1}_a \rangle_{\sigma_\mathcal{X} \cdot \sigma_\mathcal{K}}. \qquad (2) $$

We use the shorthand $\langle s^i \rangle_{\theta_\mathcal{X} \cdot \sigma_\mathcal{K}} = \langle s^{k+1} \rangle_{\sigma_\mathcal{X} \cdot \sigma_\mathcal{K}}$ to indicate this equality for every state element. Property (2) states that by step $k+1$, the system will not reach any new states. That is, for every possible interpretation of the system parameters $\sigma_\mathcal{K}$, and for every possible operation of the system for $k+1$ steps, as determined by the interpretation $\sigma_\mathcal{X}$ of the initial state and indexed input symbols $\mathcal{X}$, there is some alternate initial state and input sequence, given by interpretation $\theta_\mathcal{X}$, that would have led to the exact same state in $i$ steps for some $0 \leq i \leq k$.

We show that this property guarantees that the system will not reach new states beyond step $k$.

Theorem 1 If a system converges in $k$ steps, then for any $j \geq 0$ and any interpretation $\sigma_\mathcal{K}$ of the system parameters, there exists a step $i \leq k$ and an alternate interpretation $\theta_\mathcal{X}$ of the initial state and inputs, such that

$$ \langle s^i \rangle_{\theta_\mathcal{X} \cdot \sigma_\mathcal{K}} = \langle s^j \rangle_{\sigma_\mathcal{X} \cdot \sigma_\mathcal{K}}. \qquad (3) $$
Before we prove Theorem 1, we highlight a key property of our system model.

Proposition 1 For any interpretations $\sigma_\mathcal{X}$ and $\sigma_\mathcal{K}$ and any step $i$

$$ \langle s^{i+1} \rangle_{\sigma_\mathcal{X} \cdot \sigma_\mathcal{K}} = \left\langle \delta\left[ \langle s^i \rangle_{\sigma_\mathcal{X} \cdot \sigma_\mathcal{K}} / \mathcal{S},\ \langle t^{i+1} \rangle_{\sigma_\mathcal{X}} / \mathcal{I} \right] \right\rangle_{\sigma_\mathcal{K}}. \qquad (4) $$

By way of explanation, (4) combines a basic property of symbolic simulation with some specific characteristics of our model. On the right hand side, we evaluate state $s^i$ under an interpretation of the symbols in $\mathcal{K} \cup \mathcal{X}$, yielding an integer or Boolean value, or an integer or Boolean function, for each state element. Similarly, we evaluate the indexed inputs at step $i+1$, but these depend only on the interpretation of the symbols in $\mathcal{X}$. Now we substitute these values for the state element symbols and input symbols in the expressions for the transition behavior $\delta$. Finally, we apply an interpretation to each system parameter symbol in $\mathcal{K}$ and evaluate the results, giving a new value for each state element. The left hand side gives a value for each state element by applying the same interpretations to the expressions reached after $i+1$ steps of symbolic simulation. Our claim is that either route leads to the same values.

The proposition follows from the definition of $s^{i+1}$, the property that the transition behavior is independent of the values assigned to the symbols in $\mathcal{X}$, since these only encode the initial state and the input values, and the fact that the values of the inputs $t^{i+1}$ are independent of the values of the system parameterization symbols.

We now prove Theorem 1.

Proof: The proof proceeds by induction on $j$. For $j \leq k$, the condition holds trivially by letting $i = j$. Let us assume it holds for $j$. That is, there is some $i' \leq k$ such that $\langle s^{i'} \rangle_{\theta_\mathcal{X} \cdot \sigma_\mathcal{K}} = \langle s^j \rangle_{\sigma_\mathcal{X} \cdot \sigma_\mathcal{K}}$.

We first show that state $s^{j+1}$ must be equivalent to the state at step $i'+1$ under an alternate interpretation of the initial state and indexed input symbols. First, we apply (4) and (3) to expand state $s^{j+1}$ and apply the induction hypothesis, giving

$$ \langle s^{j+1} \rangle_{\sigma_\mathcal{X} \cdot \sigma_\mathcal{K}} = \left\langle \delta\left[ \langle s^{i'} \rangle_{\theta_\mathcal{X} \cdot \sigma_\mathcal{K}} / \mathcal{S},\ \langle t^{j+1} \rangle_{\sigma_\mathcal{X}} / \mathcal{I} \right] \right\rangle_{\sigma_\mathcal{K}}. $$

Now let us define an interpretation $\theta'_\mathcal{X}$ that is identical to $\theta_\mathcal{X}$, except that for each symbol $a_{i'+1}$ representing the value of input $a$ at step $i'+1$, let $\theta'_\mathcal{X}(a_{i'+1}) = \sigma_\mathcal{X}(a_{j+1})$. State expression $s^{i'}$ does not have any indexed input symbols with step index $i'+1$, and hence it will evaluate to the same set of values under interpretations $\theta_\mathcal{X}$ and $\theta'_\mathcal{X}$. We can therefore continue the derivation as follows:

For $i' < k$, we can let $i = i'+1 \leq k$ be the earlier step and $\theta'_\mathcal{X}$ be the alternate interpretation to prove the induction hypothesis.

For $i' = k$, we have shown that $\langle s^{j+1} \rangle_{\sigma_\mathcal{X} \cdot \sigma_\mathcal{K}} = \langle s^{k+1} \rangle_{\theta'_\mathcal{X} \cdot \sigma_\mathcal{K}}$. Applying the convergence criterion, there must be some step $i \leq k$ and some alternate interpretation $\eta_\mathcal{X}$ such that $\langle s^{j+1} \rangle_{\sigma_\mathcal{X} \cdot \sigma_\mathcal{K}} = \langle s^{k+1} \rangle_{\theta'_\mathcal{X} \cdot \sigma_\mathcal{K}} = \langle s^i \rangle_{\eta_\mathcal{X} \cdot \sigma_\mathcal{K}}$, which shows that the state at step $j+1$ is identical to the state at step $i$ under alternate interpretation $\eta_\mathcal{X}$.

Note how this proof relied on the structure of our model. We encode variations in the system behavior and operation symbolically. On each step, the inputs can change arbitrarily (since we introduce a new set of symbols on each step), but the system behavior remains fixed (since it is parameterized by the fixed set of symbols $\mathcal{K}$).


4 Formulation of the Convergence Criterion

We now reach the main topic of this paper: determining whether a system is $k$-convergent for some value of $k$. We can express this as a problem in second-order logic as follows. Introduce a symbol set $\mathcal{J}$ consisting of a symbol $a'$ for each initial state symbol $a \in \mathcal{X}$, and a symbol $a'_i \in \mathcal{J}$ for each indexed input signal $a_i$, for $1 \leq i \leq k$. Rewrite each state expression $s^i$, for $0 \leq i \leq k$, to an expression $r^i$, by replacing each symbol in $\mathcal{X}$ with its counterpart in $\mathcal{J}$.

Using the notation of predicate calculus, we consider the symbols in $\mathcal{X}$, $\mathcal{J}$, and $\mathcal{K}$ to be quantified variables, either first-order (for integer or Boolean symbols) or second-order (for function or predicate symbols). We can then write the convergence criterion as:

$$ \forall \mathcal{K}\ \forall \mathcal{X}\ \exists \mathcal{J} \left[ \bigvee_{0 \leq i \leq k} \bigwedge_{a \in \mathcal{S}} r^i_a = s^{k+1}_a \right] \qquad (5) $$

With these quantifiers, we are really quantifying over the possible interpretations of the symbols. Note that this formula cannot be expressed in first-order logic, because we have existentially quantified function symbols.

Example 1: Consider a system with the integer state variables x, y and Boolean state variable b. The operations are defined by:

$$ \mathit{init}[x] = c_0 \qquad \mathit{init}[y] = c_0 \qquad \mathit{init}[b] = \mathit{true} $$
$$ \mathit{next}[x] = f(x) \qquad \mathit{next}[y] = f(y) \qquad \mathit{next}[b] = (x = y) $$

where $c_0$ is an integer symbol and f is an uninterpreted function symbol. Using our notation, the sets of symbols are defined as follows: $\mathcal{S} = \{x, y, b\}$, $\mathcal{K} = \{f\}$, $\mathcal{X} = \{c_0\}$ and $\mathcal{J} = \{c'_0\}$.

After simulating the system for one step, the convergence condition (given by equation 5, where $k = 0$) becomes:

$$ \forall f\ \forall c_0\ \exists c'_0\ [\, c'_0 = f(c_0) \wedge c'_0 = f(c_0) \wedge \mathit{true} = (f(c_0) = f(c_0)) \,] $$

which simplifies to $\forall f\ \forall c_0\ \exists c'_0\ [\, c'_0 = f(c_0) \,]$, which is clearly valid, with $c'_0$ taking the value $f(c_0)$.

Therefore the system converges after one step of simulation. As expected, the state variable b is always true in the reachable set of states.
For a function or predicate state element $F$, the expression $r^i_F = s^{k+1}_F$ is a second-order equation — it states that two functions or predicates are identical for all possible arguments.

For systems without function or predicate state elements, our convergence criterion yields a formula with the quantification structure shown in (5), with only first-order equations. Even for the simple case of a system with one integer symbol in $\mathcal{X}$ and one function symbol of arity 2 in $\mathcal{K}$, deciding the truth of a formula with this structure is undecidable [2].

Again we find ourselves facing an undecidable property. We deal with this by 1) using syntactic transformations to eliminate the second-order equations for function and predicate state elements, and 2) using a sound, but incomplete, decision procedure for second-order formulas of the form shown in (5). Our procedure is quite simple, but it seems to work well for the formulas arising in our convergence testing.


5 Checking Convergence

5.1 Function and Predicate State Elements

We can convert our convergence formula (5) to one containing only first-order equations by introducing a set of argument symbols $Z = z_1, \ldots, z_n$, where $n$ is the maximum arity of any predicate or function state element. Suppose state element $F$ has arity $\mathit{arity}(F) = m$. Then define $\tilde{r}^i_F = r^i_F(z_1, \ldots, z_m)$, and similarly define $\tilde{s}^{k+1}_F = s^{k+1}_F(z_1, \ldots, z_m)$. Then we can rewrite the convergence criterion as:

$$ \forall \mathcal{K}\ \forall \mathcal{X}\ \exists \mathcal{J}\ \forall Z \left[ \bigvee_{0 \leq i \leq k} \bigwedge_{a \in \mathcal{S}} \tilde{r}^i_a = \tilde{s}^{k+1}_a \right] \qquad (6) $$

Unfortunately, we have no general approach to handle formulas with this quantifier structure. Instead, we use rewriting techniques to handle limited forms of function and predicate state elements. Our technique is sufficient to handle random-access memories, including the data memory and register file of a microprocessor.

A random-access memory is modeled as a function state element Mem where the argument is an address, and the function returns the value stored at that address. Consider a memory with address input Adr, data input Dat and write-enable signal Wrt. We describe the memory operation in our term-level modeling language as:

$$ \mathit{init}[\mathit{Mem}] = m_0 $$
$$ \mathit{next}[\mathit{Mem}] = \lambda x\,.\,\mathit{ITE}(\mathit{Wrt} \wedge x = \mathit{Adr},\ \mathit{Dat},\ \mathit{Mem}(x)) $$

where $m_0$ is an uninterpreted function giving the initial memory contents. Note the restricted class of expressions that will result when modeling the operation of this memory over time to generate the expression $s^i_{\mathit{Mem}}$. At the base is an uninterpreted function, which can be assigned an interpretation that matches any desired functionality. There will then be a bounded number of updates due to write operations, but these will each be to a single (symbolic) address.
Suppose we wish to determine whether the system has converged for some fixed time point $i$, so that Equation 6 reduces to

$$ \forall \mathcal{K}\ \forall \mathcal{X}\ \exists \mathcal{J}\ \forall Z \left[ \bigwedge_{a \in \mathcal{S}} \tilde{r}^i_a = \tilde{s}^{k+1}_a \right] \qquad (7) $$

Then the convergence criterion for state element Mem will have the general form:

$$ \forall A\ \exists B\ \forall z\ .\ F'(z) = F(z) \qquad (8) $$

where expression $F$ has only symbols in $A$, while expression $F'$ has symbols from both $B$ and $A$.

We apply a set of rewrites to the symbols in $B$ and generate a set of verification conditions that guarantees (8) holds, based on the structure of expression $F'$. In general, our rules apply to equations of the form $P(z) \Rightarrow F'(z) = F(z)$, where $P$ is a predicate expression with symbols from both $B$ and $A$. At the top level, we start with $P$ being an expression that always yields true.


1. For equations of the form $P(z) \Rightarrow f'(z) = F(z)$, where $f'$ is a function symbol in $B$, rewrite all occurrences of $f'$ in $P$ to be $\lambda x\,.\,\mathit{ITE}(P(x), F(x), f'(x))$.

2. For equations of the form $P(z) \wedge z = E \Rightarrow F'(z) = F(z)$, where $E$ is an expression with symbols from both $B$ and $A$, reduce the equation to $P(E) \Rightarrow F'(E) = F(E)$. This eliminates any reference to $z$ in the equation.

3. For equations of the form $P(z) \Rightarrow [\lambda x\,.\,\mathit{ITE}(Q(x), G'(x), H'(x))](z) = F(z)$, where $Q$, $G'$, and $H'$ are predicate and function expressions containing symbols in both $A$ and $B$, we generate two verification conditions: $P(z) \wedge Q(z) \Rightarrow G'(z) = F(z)$, and $P(z) \wedge \neg Q(z) \Rightarrow H'(z) = F(z)$, and solve these recursively.

4. For equations of the form $P(z) \Rightarrow f(z) = F(z)$, where $f$ is a function symbol in $A$, we recursively analyze the structure of $F$.

   • If $F$ is of the form $\mathit{ITE}(Q(x), G(x), H(x))$, where $Q$, $G$, and $H$ are predicate and function expressions containing symbols in $A$, we generate two verification conditions: $P(z) \wedge Q(z) \Rightarrow f(z) = G(z)$, and $P(z) \wedge \neg Q(z) \Rightarrow f(z) = H(z)$, and solve these recursively.

   • If $F$ is of the form $g(z)$, then the symbols $f$ and $g$ need to be the same. If the two symbols are different, we return false, which implies that no rewrite exists.

5. For equations of the form $P(z) \Rightarrow F'(z + c) = F(z)$ with integer constant $c$, transform the equation to be $P(z - c) \Rightarrow F'(z) = F(z - c)$, and solve it recursively.

Similar rules hold for equations of the form $P \Rightarrow F'(z) = F(z)$, i.e., where $P$ is a Boolean expression independent of $z$.

Given the special form of the expressions describing the updating of a random-access memory, we can see that by repeated application of these rules, we can eliminate all occurrences of symbol $z$ in (7). The first rule handles the uninterpreted function representing the initial memory state. The second rule handles updates to individual memory addresses. The third rule lets us split based on the case structure of the expression. The last two rules would be required for more complex memory structures.

Note that CLU logic can be used to model memories in which multiple entries can be updated in parallel [14]. The rewriting techniques proposed in this section do not work for such memories.


5.2 Convergence with First-Order Equations

Assume we have applied transformation rules to eliminate all second-order equations, and hence the convergence criterion is expressed by an equation of the form shown in (5) with only first-order equations. We would therefore like to decide the validity of a formula $\psi$ of the form

$$ \psi = \forall A\ \exists B\ \phi \qquad (9) $$

where $\phi$ does not contain any quantifiers. In fact, $\phi$ is a CLU formula, and we can assume that transformations have been applied to eliminate all ITE operations¹ and lambda applications.

Our system model is sufficiently general that we can generate any second-order formula having the structure shown in (9) as part of a convergence test. To see this, let the variables in $\phi$ be $A = \vec{a}_n$ and $B = \vec{b}_m$. Introduce a set of $m+1$ state elements, consisting of an element $q_i$ for each existentially quantified variable $b_i \in B$, and a final truth-valued state element $q_{m+1}$. For each universally quantified variable $a_i \in A$, introduce a system parameter $a_i$. Let the system have transition behavior $\delta$ such that $\delta_{q_{m+1}} = \phi[\vec{q}_m/\vec{b}_m,\ \vec{a}_n/\vec{a}_n]$, and $\delta_{q_i} = q_i$ for $1 \leq i \leq m$. Finally, let the initial state $s^0_{q_i}$ of each state element $q_i$ for $1 \leq i \leq m$ be $a_i$, and the initial state of $q_{m+1}$ be true. Then the system is 0-convergent if and only if the formula $\forall A\ \exists B\ \phi$ is valid.

This construction shows that we cannot assume any particular restrictions on the formulas we must decide to prove convergence, other than the quantifier structure shown in (9).

5.2.1 Syntactic Approach.

Previous approaches to convergence have been based on finding syntactic similarities between the earlier state $r^i$ and the current state $s^{k+1}$. The convergence criterion given by Isles et al. [13] is a more conservative check than the criterion we give in Equation 6, and hence is less general. We can see that their syntactic substitution-based technique is simply a strategy for proving the validity of a formula with the structure shown in (9), as follows.

Proposition 2 Let $b$ denote a set containing an expression $b_a \in E(A)$ for each $a \in B$. If $\forall A\ \phi[b/B]$ is valid, then so is $\forall A\ \exists B\ \phi$.

The proof of this proposition follows by instantiating any symbol $a \in B$ with the value $\langle b_a \rangle_{\sigma_A}$.

With this approach, we can prove convergence by using a decision procedure for CLU logic to prove the universal validity of $\phi[b/B]$. The challenge, of course, is to find an appropriate set of substitutions to the symbols in $B$.

5.2.2 Semantic Approach.

We describe two ways to transform formulas of the structure ψ = ∀A ∃B φ into a formula in the logic we call Quantified Separation Logic (QSL). QSL consists of quantified Boolean and integer variables, Boolean connectives, and predicates of the form x = y + c and x < y + c, where x and y are integer variables, and c is an integer constant. Our first translation T_s(ψ) (for "sound") yields a formula that is valid only if ψ is valid. Our second translation T_c(ψ) (for "complete") yields a formula that is valid if ψ is valid. The two formulas are very similar to each other. They differ in the ordering of quantifiers and an additional set of clauses in the antecedent of the second formula. By deciding the validity of the first translation we can test for definite convergence, while we can test for possible convergence by deciding the validity of the second translation.

¹ These can be eliminated by the "push to the leaves" transformation [17].


bool-atom ::= bool-symbol
            | predicate-symbol(int-atom + int-constant, ..., int-atom + int-constant)

int-atom  ::= int-symbol
            | function-symbol(int-atom + int-constant, ..., int-atom + int-constant)

bool-expr ::= bool-atom | true | false
            | ¬bool-expr | (bool-expr ∧ bool-expr)
            | (int-atom = int-atom + int-constant)
            | (int-atom < int-atom + int-constant)

Figure 2: Normal Form Syntax. Any integer or Boolean expression in CLU can be rewritten into this form.

1. Preserving Soundness. As shown in Figure 2, we can rewrite any Boolean or integer expression in CLU into a normal form, in which all ITE operations have been eliminated, and the additions of integer constants are grouped together. Define an atomic expression as either an integer expression following the rules for syntactic type int-atom shown in the figure, or a Boolean expression following the rules for syntactic type bool-atom. We can see that an arbitrary Boolean expression consists of Boolean atoms, equality and ordering predicates applied to integer atoms (possibly with a constant offset), and Boolean connectives.

Without loss of generality, let us assume φ is in normal form. We start by enumerating all of the atomic expressions occurring in φ as a sequence g_1, ..., g_n. Let top(g_i) denote the top-level symbol in subexpression g_i. We can see that each atomic expression g_i must be of one of the following forms:

1. Boolean symbol, g_i = b, giving top(g_i) = b.

2. Predicate application, g_i = p(g_{i1} + c_{i,1}, ..., g_{ik} + c_{i,k}), giving top(g_i) = p.

3. Integer symbol, g_i = x, giving top(g_i) = x.

4. Function application, g_i = f(g_{i1} + c_{i,1}, ..., g_{ik} + c_{i,k}), giving top(g_i) = f.

We require the sequence to be ordered according to subexpression containment. That is, for the function and predicate application forms listed above, we require i_l < i for 1 ≤ l ≤ k. The soundness property of translation T_s holds for any such ordering, but we get a tighter bound by listing the subexpressions having top-level symbols in A as early as possible. That is, if top(g_i) ∈ A and top(g_j) ∈ B, then i < j, unless g_j is a subexpression of g_i.

Now introduce a sequence of symbols v⃗_n = v_1, ..., v_n, where v_i is an integer (respectively, Boolean) symbol when top(g_i) is an integer or function symbol (respectively, Boolean or predicate symbol). We generate two formulas C_A and C_B, each of which is a conjunction of consistency constraints, by considering each pair of subexpressions g_i and g_j with i < j and top(g_i) = top(g_j). These are the same constraints used by Ackermann for removing function applications from a formula [1]. For subexpression g_i of the form f(g_{i1} + c_{i,1}, ..., g_{ik} + c_{i,k}), and g_j of the form f(g_{j1} + c_{j,1}, ..., g_{jk} + c_{j,k}), we include the constraint

v_{i1} = v_{j1} + (c_{j,1} − c_{i,1}) ∧ ··· ∧ v_{ik} = v_{jk} + (c_{j,k} − c_{i,k}) ⇒ v_i = v_j    (10)

This constraint is included in either C_A or C_B according to whether f ∈ A or f ∈ B. Similar constraints are generated when the top-level symbol in g_i and g_j is a predicate symbol p.

Let φ̂ be the formula generated by replacing each atomic expression g_i in φ with the symbol v_i. We always replace maximal subexpressions, so that the resulting formula no longer contains any symbols from φ.

Let quantifier Q_i be ∀ when top(g_i) ∈ A and ∃ when top(g_i) ∈ B.

The soundness-preserving translation of ψ is given by

T_s(ψ) = Q_1 v_1 Q_2 v_2 ··· Q_n v_n [C_A ⇒ (C_B ∧ φ̂)]    (11)

Theorem 2  For any formula ψ having the structure ψ = ∀A ∃B φ, if T_s(ψ), as given by (11), is valid, then so is ψ.


Proof: First, we use Skolemization to transform T_s(ψ) into a formula where the existential quantifiers all come before the universal ones [10]. For 0 ≤ i ≤ n, define m(i) to be the number of universal quantifiers in the sequence Q_1, ..., Q_i. Letting u be the number of symbols in V_∀, we have m(n) = u. Let m^{-1}(i) be the position of the ith universal quantifier. (By convention, m^{-1}(0) = 0.) For any i such that v_i ∈ V_∀, we have m^{-1}(m(i)) = i. For any i such that v_i ∈ V_∃, we have m^{-1}(m(i)) < i.

Let y_1, ..., y_u be a set of integer and Boolean symbols, where symbol y_i has the same type as v_{m^{-1}(i)}. For each i such that v_i ∈ V_∃, introduce a Skolem function symbol (when v_i is an integer symbol) or predicate symbol (when v_i is a Boolean symbol) f_i having arity m(i).

Generate formulas C*_A, C*_B, and φ* from C_A, C_B, and φ̂ by replacing each symbol v_i by y_{m(i)} when v_i ∈ V_∀ and by f_i(y_1, ..., y_{m(i)}) when v_i ∈ V_∃. Then the Skolemized form of ψ, which we call T_sk(ψ), is defined as

T_sk(ψ) = ∃F ∀y⃗ [C*_A ⇒ (C*_B ∧ φ*)]    (12)

where F is the set of all Skolem function and predicate symbols, and y⃗ is the set of symbols {y_1, ..., y_u}. Formula T_sk(ψ) is valid iff T_s(ψ) is valid.

With this transformation, we shift the problem to one of showing that if T_sk(ψ), given by (12), is valid, then so is formula ψ = ∀A ∃B φ. Assume (12) is valid, and that we are given some interpretation σ_A of the symbols in A. We need to generate an interpretation σ_B of the symbols in B such that ⟨φ⟩_{σ_A,σ_B} = true. Let σ_F be an interpretation of the Skolem function and predicate symbols in F that satisfies (12). We construct a sequence of integer and Boolean values a⃗_n = a_1, ..., a_n as follows:

1. For v_i ∈ V_∀, when subexpression g_i is of the form x (either an integer or Boolean symbol), we must have x ∈ A. Let a_i = σ_A(x). When g_i is of the form f(g_{i1} + c_{i,1}, ..., g_{ik} + c_{i,k}), we have f ∈ A (either a predicate or a function symbol). Let a_i = σ_A(f)(a_{i1} + c_{i,1}, ..., a_{ik} + c_{i,k}).

2. For v_i ∈ V_∃, let a_i = σ_F(f_i)(a_{m^{-1}(1)}, ..., a_{m^{-1}(m(i))}).

Let σ_y be the interpretation of the symbols in y⃗ where σ_y(y_i) = a_{m^{-1}(i)}. We can see that the sequence a_1, ..., a_n consists of the values for the symbols in y⃗ and the results of applying the Skolem functions to these values. By (12), we are guaranteed that C*_A ⇒ (C*_B ∧ φ*) evaluates to true under σ_F and σ_y.

Given the close relation between formulas C_A ⇒ (C_B ∧ φ̂) and C*_A ⇒ (C*_B ∧ φ*), and the way we generated the sequence a⃗_n, we can see that using the a⃗_n as the values for the symbols v⃗_n will satisfy our constraint formula. That is, if we perform the substitution

[C_A ⇒ (C_B ∧ φ̂)] [a⃗_n/v⃗_n]

and then evaluate this formula, the result will equal true.

We can also see that when we perform the substitution C_A[a⃗_n/v⃗_n], the resulting expression will evaluate to true, since we generated the sequence a_1, ..., a_n based on a consistent interpretation of the function and predicate symbols in A. From this, we can infer that the expressions C_B[a⃗_n/v⃗_n] and φ̂[a⃗_n/v⃗_n] will evaluate to true as well.

Define interpretation σ_B such that for any g_i of the form x, where x is an integer or Boolean symbol in B, we let σ_B(x) = a_i. For any g_i of the form f(g_{i1} + c_{i,1}, ..., g_{ik} + c_{i,k}), where f is a function or predicate symbol in B, let σ_B(f)(a_{i1} + c_{i,1}, ..., a_{ik} + c_{i,k}) = a_i. No conflicts can arise in defining this interpretation, since C_B holds when the symbols v⃗_n are assigned the values a⃗_n. Complete the interpretation of f by defining, for any argument values x_1, ..., x_k not covered already, the value of σ_B(f)(x_1, ..., x_k) to be either 0 (when f is a function) or false (when f is a predicate).

We can readily see that under the interpretation we have constructed, we will have ⟨g_i⟩_{σ_A,σ_B} = a_i for 1 ≤ i ≤ n. From this, we can infer that ⟨φ⟩_{σ_A,σ_B} = true, showing that ∀A ∃B φ is valid.

2. Preserving Completeness. To generate the completeness-preserving transformation, let π be the permutation of 1, ..., n that moves all of the universal quantifiers in the sequence Q_1, ..., Q_n to the left, while otherwise preserving the relative orderings of symbols. That is, when we write the sequence Q_{π(1)}, ..., Q_{π(n)}, we will have a sequence of the form ∀^u ∃^{n−u}, where u is the number of universal quantifiers. In addition, for i and j with i < j and Q_i = Q_j, we have π(i) < π(j).

Divide the symbols v⃗_n into two sets: those that are universally quantified, V_∀ = {v_{π(1)}, ..., v_{π(u)}}, and those that are existentially quantified, V_∃ = {v_{π(u+1)}, ..., v_{π(n)}}.

We generate an additional set of quantified antecedent clauses C_T, to ensure completeness in the presence of some argument consistency constraints. Suppose for i < j that subexpressions g_i and g_j are of the form g_i = f(g_{i1} + c_{i,1}, ..., g_{ik} + c_{i,k}) and g_j = f(g_{j1} + c_{j,1}, ..., g_{jk} + c_{j,k}), where f ∈ A. Then, for this pair of subexpressions we add the constraint

v_i ≠ v_j ∧ ⋀_{1≤l≤k, v_{il},v_{jl} ∈ V_∀} v_{il} = v_{jl} + (c_{j,l} − c_{i,l})  ⇒  ∃_{v_{il},v_{jl} ∈ V_∃} ⋀_{1≤l≤k} v_{il} = v_{jl} + (c_{j,l} − c_{i,l})    (13)

to the set of clauses C_T. Note that the quantifiers in the consequent of this constraint take precedence over the quantifiers that are global to the overall formula.
We can now write the completeness-preserving translation of ψ as

T_c(ψ) = ∀v_{π(1)} ··· ∀v_{π(u)} ∃v_{π(u+1)} ··· ∃v_{π(n)} [(C_A ∧ C_T) ⇒ (C_B ∧ φ̂)]    (14)

Theorem 3  For any formula ψ having the structure ψ = ∀A ∃B φ, if ψ is valid, then so is T_c(ψ), as given by (14).

Proof: Suppose we are given values a'_{π(1)}, ..., a'_{π(u)} for the universally quantified symbols v_{π(1)}, ..., v_{π(u)}. Let 𝒜 denote the set of all assignments a⃗_n to the symbols v⃗_n such that a_{π(i)} = a'_{π(i)} for 1 ≤ i ≤ u. Then we must find a vector a⃗_n ∈ 𝒜 such that when we perform the substitution

([C_A ∧ C_T] ⇒ [C_B ∧ φ̂]) [a⃗_n/v⃗_n]    (15)

the resulting formula will evaluate to true.

Our first strategy is to try to find a vector that violates a consistency constraint in C_T or in C_A. This requires having two subexpressions of the form g_i = f(g_{i1} + c_{i,1}, ..., g_{ik} + c_{i,k}) and g_j = f(g_{j1} + c_{j,1}, ..., g_{jk} + c_{j,k}), where a'_i ≠ a'_j, and f is either an integer or Boolean function in A. It also requires that a'_{il} = a'_{jl} + (c_{j,l} − c_{i,l}) for all 1 ≤ l ≤ k such that v_{il}, v_{jl} ∈ V_∀.

Given that these conditions hold, we can show that one of the two types of antecedent constraints will be violated. If there is some a⃗_n ∈ 𝒜 such that a_{il} = a_{jl} + (c_{j,l} − c_{i,l}) for all 1 ≤ l ≤ k, then we can use this as an assignment to the symbols v⃗_n that violates the consistency constraint (10) in C_A. If no such a⃗_n exists, then argument constraint (13) in C_T will be violated. In either case, the antecedent will be false, and hence (15) will evaluate to true.

Otherwise, we can assume that for every pair of subexpressions of the form g_i = f(g_{i1} + c_{i,1}, ..., g_{ik} + c_{i,k}) and g_j = f(g_{j1} + c_{j,1}, ..., g_{jk} + c_{j,k}), where f is a Boolean or integer function in A, we have either a'_i = a'_j or there is some argument position l, with v_{il}, v_{jl} ∈ V_∀ and a'_{il} ≠ a'_{jl} + (c_{j,l} − c_{i,l}). We can therefore generate an interpretation σ_A of all of the symbols in A such that for every subexpression g_i = f(g_{i1} + c_{i,1}, ..., g_{ik} + c_{i,k}), where f ∈ A, we have σ_A(f)(a_{i1} + c_{i,1}, ..., a_{ik} + c_{i,k}) = a'_i for all a⃗_n ∈ 𝒜.

More precisely, we define σ_A(f)(x_1, ..., x_k) for arbitrary values of x_1, ..., x_k by considering every subexpression of the form g_i = f(g_{i1} + c_{i,1}, ..., g_{ik} + c_{i,k}). If for some such subexpression we have x_l = a'_{il} + c_{i,l} for every argument position l such that v_{il} ∈ V_∀, then we define σ_A(f)(x_1, ..., x_k) = a'_i. If there is no such subexpression, then we define σ_A(f)(x_1, ..., x_k) to equal either false, when f is a Boolean function, or 0, when f is an integer function.

To complete the proof of Theorem 3, if we assume ψ = ∀A ∃B φ is valid, then we can use our interpretation σ_A as an assignment of values to the symbols in A. We are then guaranteed that there is some assignment of values to the symbols in B such that φ holds. Use this assignment to define an interpretation σ_B. Then we define a_i for 1 ≤ i ≤ n as a_i = ⟨g_i⟩_{σ_A,σ_B}. We can see that a⃗_n ∈ 𝒜, since we will have a_i = a'_i for each i such that v_i ∈ V_∀. Since this assignment was derived from a consistent interpretation of the symbols in φ, all of the constraints in C_B will be satisfied for this assignment. Formula φ̂ will also evaluate to true under this assignment, since it is derived from an interpretation of the symbols in ψ that makes it evaluate to true. From this we can infer that (15) will evaluate to true.

We therefore conclude that translation T_c preserves completeness.
We now give some examples to demonstrate the capabilities and limitations of our two translation methods.

Example 1: Our first example is a case where we successfully prove soundness.

∀f, y [∀x x = f(x)] ⇒ y = f(f(y))    (16)

To get this into the required form, we rewrite it as

∀f, y ∃x [¬(x = f(x)) ∨ y = f(f(y))]

We write the subexpressions as follows. To make the resulting formulas more readable, we introduce symbols with names based on the subexpressions, rather than the more generic v_1, v_2, ..., v_n:

       Subexpression   Symbol
  g_1  y               y
  g_2  f(y)            fy
  g_3  f(f(y))         ffy
  g_4  x               x
  g_5  f(x)            fx

For C_A we then get

(x = y ⇒ fx = fy) ∧ (x = fy ⇒ fx = ffy) ∧ (y = fy ⇒ fy = ffy)

For formula C_B we get true, while for φ̂ we get

¬(x = fx) ∨ y = ffy

and the overall quantifier structure is:

∀y ∀fy ∀ffy ∃x ∀fx

To see that the QSL formula is valid, consider a game played between opponents Bob and Alice. Bob has control over the universally quantified symbols and is attempting to make the formula evaluate to false, while Alice has control over the existentially quantified symbols and is attempting to make the formula evaluate to true. They take turns instantiating symbols according to the quantifier structure. If Alice always has a winning strategy, then the formula is valid.

In this example, Bob must give values for y, fy, and ffy. He must choose values such that y ≠ ffy to avoid satisfying φ̂, and must have either y ≠ fy or fy = ffy to avoid falsifying the third consistency constraint. In the latter case, we also have y ≠ fy.

Alice now sets x = y. This forces Bob to set fx = fy to avoid falsifying the first consistency constraint. Combining these we get x = y ≠ fy = fx, implying that φ̂ is satisfied. Alice has a winning strategy, showing that the quantified formula is valid.

Example 2: Our second example illustrates a case where the formula is valid, but the soundness-preserving transformation fails to show this.

∀f [∀x f(x) < f(x + 1)] ⇒ [∀y f(y) < f(y + 2)]    (17)

To get this into the required form, we rewrite it as

∀f ∀y ∃x ¬(f(x) < f(x + 1)) ∨ f(y) < f(y + 2)

We write the subexpressions as follows.

       Subexpression   Symbol
  g_1  y               y
  g_2  f(y)            fy
  g_3  f(y + 2)        fy2
  g_4  x               x
  g_5  f(x)            fx
  g_6  f(x + 1)        fx1

For C_A we then get

(x = y ⇒ fx = fy) ∧ (x = y − 1 ⇒ fx1 = fy) ∧ (x = y + 2 ⇒ fx = fy2) ∧ (x = y + 1 ⇒ fx1 = fy2)

For formula C_B we get true, while for φ̂ we get

¬(fx < fx1) ∨ fy < fy2

and the overall quantifier structure is:

∀y ∀fy ∀fy2 ∃x ∀fx ∀fx1

This formula is not valid.

This example shows the limited capability of our translation T_s. It does not perform the multiple instantiations of x required to replace the quantified antecedent in (17) with f(y) < f(y + 1) ∧ f(y + 1) < f(y + 2).

The completeness-preserving translation of this formula is identical, except that it yields the quantifier structure

∀y ∀fy ∀fy2 ∀fx ∀fx1 ∃x

This formula can be shown to be valid.

In this case, Bob must choose values for all of his symbols, and then Alice gets to pick a value for x. She will be able to satisfy the antecedent of any of the four consistency constraints, so Bob must attempt to satisfy all of the consequents, giving fx = fy = fx1 = fy2, but this would imply that fx ≮ fx1, satisfying φ̂. We conclude that Alice can always win.

Example 3: Our third example illustrates a case where the completeness-preserving transformation is overly optimistic.

∀f ∀x ∃y f(x, y) = f(y, x + 1)    (18)

This formula is clearly not valid.

We write the subexpressions as follows.

       Subexpression   Symbol
  g_1  x               x
  g_2  y               y
  g_3  f(x, y)         f1
  g_4  f(y, x + 1)     f2

For C_A we then get

x = y ∧ y = x + 1 ⇒ f1 = f2

The above antecedent is unsatisfiable, and hence C_A reduces to true. Similarly, C_B is true. For the argument constraints we get

¬(f1 = f2) ⇒ ∃y (x = y ∧ y = x + 1)

Since the consequent in this formula is unsatisfiable, this constraint reduces to f1 = f2. Formula φ̂ is also f1 = f2, and hence the translation T_c simply yields

∀f1 ∀f2 [f1 = f2 ⇒ f1 = f2]

which reduces to true.

This example shows how much the set of argument constraints weakens the precision of translation T_c when the arguments have a structure where any possible instantiation of the existentially quantified symbols would yield conflicts.

To date, we have been unable to devise an example that illustrates the need for the argument consistency constraints C_T. This requires a formula that is valid, but for which T_c would be false without C_T in the antecedent.
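The following is an added example, not code from the paper or from the UCLID tool. It implements the bookkeeping behind the soundness-preserving translation T_s of item 1 above (enumerating the atomic subexpressions in containment order with A-topped atoms first, the Ackermann constraints (10) split into C_A and C_B, the formula φ̂, and the quantifier prefix of (11)) together with the quantifier reordering and the argument constraints (13) of T_c, and it encodes Examples 1 to 3 as inputs. The term-tree encoding of φ, the scheme that names each QSL symbol after its subexpression (so Example 3's f1 and f2 come out as fxy and fyx1), and the dropping of any constraint whose antecedent contains a conjunct v = v + d with d ≠ 0 (the simplification the examples above apply silently, which is why Example 2 lists four constraints rather than six) are this example's own choices. It does not decide the resulting QSL formula; that remains the job of a QSL solver.

```python
# Constructed example, not code from the paper or from the UCLID tool: the bookkeeping of the
# translations T_s (11) and T_c (14) for a normal-form formula phi, in a term encoding of our own.
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Sym:
    name: str       # integer or Boolean symbol

@dataclass(frozen=True)
class App:
    func: str       # function or predicate symbol
    args: tuple     # ((atom, c), ...): the arguments g_il + c_il

def top(g):         # top-level symbol top(g_i)
    return g.name if isinstance(g, Sym) else g.func

def subatoms(g):    # the atoms g_il occurring as arguments of g
    return [a for a, _ in g.args] if isinstance(g, App) else []

def auto_name(g):   # paper-style symbol names: f(f(y)) -> ffy, f(x+1) -> fx1 (assumes no clashes)
    if isinstance(g, Sym):
        return g.name
    return g.func + "".join(auto_name(a) + (str(c).replace("-", "m") if c else "") for a, c in g.args)

def collect_atoms(phi, seen=None):
    """Atoms of phi in order of first appearance, each listed after its own subatoms.  Formula nodes:
    ('atom', g) | ('eq', g, h, c) | ('lt', g, h, c) (g = h + c, g < h + c) | ('not', p) | ('and', p, q) | ('or', p, q)."""
    seen = [] if seen is None else seen
    def add(g):
        for s in subatoms(g):
            add(s)
        if g not in seen:
            seen.append(g)
    if phi[0] == "atom":
        add(phi[1])
    elif phi[0] in ("eq", "lt"):
        add(phi[1]); add(phi[2])
    else:
        for child in phi[1:]:
            collect_atoms(child, seen)
    return seen

def order_atoms(atoms, A):
    """Sequence g_1..g_n respecting containment, listing A-topped atoms as early as possible."""
    placed, rest = [], list(atoms)
    while rest:
        ready = [g for g in rest if all(s in placed for s in subatoms(g))]
        pick = next((g for g in ready if top(g) in A), ready[0])
        placed.append(pick); rest.remove(pick)
    return placed

def arg_equalities(gi, gj, names):
    """Antecedent of (10) as (v_il, v_jl, c_jl - c_il) triples; None if a conjunct reads v = v + d, d != 0."""
    conj = []
    for (ai, ci), (aj, cj) in zip(gi.args, gj.args):
        if ai == aj and ci != cj:
            return None
        if ai != aj:
            conj.append((names[ai], names[aj], cj - ci))
    return conj

def render(phi, names):
    """phi-hat: phi with every maximal atom replaced by its QSL symbol."""
    k = phi[0]
    if k == "atom":
        return names[phi[1]]
    if k in ("eq", "lt"):
        d = phi[3]
        off = f" + {d}" if d > 0 else f" - {-d}" if d < 0 else ""
        return f"{names[phi[1]]} {'=' if k == 'eq' else '<'} {names[phi[2]]}{off}"
    if k == "not":
        return "¬(" + render(phi[1], names) + ")"
    return f"({render(phi[1], names)} {'∧' if k == 'and' else '∨'} {render(phi[2], names)})"

def translate(phi, A):
    """Components of T_s and T_c for psi = forall A exists B phi (B = all other symbols)."""
    atoms = order_atoms(collect_atoms(phi), A)
    names = {g: auto_name(g) for g in atoms}
    quant = {names[g]: ("∀" if top(g) in A else "∃") for g in atoms}
    C_A, C_B, C_T = [], [], []
    for gi, gj in combinations(atoms, 2):            # every i < j with top(g_i) = top(g_j)
        if not (isinstance(gi, App) and isinstance(gj, App) and top(gi) == top(gj)):
            continue
        eqs = arg_equalities(gi, gj, names)
        if eqs is None:                                # unsatisfiable antecedent: drop the clause
            continue
        (C_A if top(gi) in A else C_B).append((eqs, (names[gi], names[gj])))
        if top(gi) in A:
            # (13): v_i != v_j plus agreement on all-universal argument pairs requires that the
            # existential argument symbols can be chosen so that every argument pair agrees.
            univ = [e for e in eqs if quant[e[0]] == quant[e[1]] == "∀"]
            exist = sorted({v for e in eqs for v in e[:2] if quant[v] == "∃"})
            C_T.append(((names[gi], names[gj]), univ, exist, eqs))
    prefix_s = [(quant[names[g]], names[g]) for g in atoms]     # Q_1 v_1 ... Q_n v_n of (11)
    prefix_c = [q for q in prefix_s if q[0] == "∀"] + [q for q in prefix_s if q[0] == "∃"]
    return {"C_A": C_A, "C_B": C_B, "C_T": C_T, "phi_hat": render(phi, names),
            "prefix_s": prefix_s, "prefix_c": prefix_c}

# The paper's Examples 1 and 2 (A = {f, y}, B = {x}) and Example 3 (A = {f, x}, B = {y}).
x, y = Sym("x"), Sym("y")
fx, fy = App("f", ((x, 0),)), App("f", ((y, 0),))
EXAMPLE_1 = ("or", ("not", ("eq", x, fx, 0)), ("eq", y, App("f", ((fy, 0),)), 0))
EXAMPLE_2 = ("or", ("not", ("lt", fx, App("f", ((x, 1),)), 0)), ("lt", fy, App("f", ((y, 2),)), 0))
EXAMPLE_3 = ("eq", App("f", ((x, 0), (y, 0))), App("f", ((y, 0), (x, 1))), 0)
```

Calling translate(EXAMPLE_2, {"f", "y"}) reproduces the four C_A constraints of Example 2 (each as its antecedent triples and consequent pair, so (x = y − 1 ⇒ fx1 = fy) appears as ([("y", "x", 1)], ("fy", "fx1"))), the T_s prefix ∀y ∀fy ∀fy2 ∃x ∀fx ∀fx1 and the T_c prefix ∀y ∀fy ∀fy2 ∀fx ∀fx1 ∃x. For Example 3 the single C_T entry is the argument constraint ¬(f1 = f2) ⇒ ∃y (x = y ∧ y = x + 1): an empty list of all-universal argument pairs, the existential symbol y, and the two argument equalities.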


6 Results & Discussion

We have implemented a prototype of the convergence testing framework within the UCLID [4] verification tool. Currently, we have only implemented the soundness-preserving translation to QSL. For deciding the resulting QSL formula, we used Difference Decision Diagrams [15] and a BDD-based implementation of a QSL solver that translates a QSL formula to a quantified Boolean formula (QBF) [16]. All the experiments were performed on a 2 GHz Pentium-4 running Linux, with 1 GB of memory.

In this section, we describe our experience with the convergence testing framework for the three-stage arithmetic pipeline given in Figure 3. This example originated with the first work on symbolic model checking [6], and has subsequently become a standard for verification research [9, 13]. In our version, we make use of both stalling and forwarding to resolve read-after-write hazards in the pipeline. Previous versions used only forwarding, with the result that a new result is written to the register file on each step of operation.

Figure 3: Pipelined Version of ALU Circuit. The three stages of the pipeline: fetch, execute and write-back. Read-after-write hazards are resolved for the first operand by stalling and for the second by forwarding. The dashed lines indicate Boolean control and the solid lines represent the flow of integer values.

The state elements of the pipeline include one function state variable, the unbounded register file pRF. The integer state elements include the different register identifiers, namely eSRC2, eDEST and wDEST, the data values eARG1, eARG2 and wVAL, and the program counter pPC. The Boolean state elements consist of the write enable registers eWRT and wWRT. The system functionality is parameterized by uninterpreted function symbols for decoding an instruction, updating the program counter and the ALU. The Boolean state elements are initialized to false and the rest of the state elements take on arbitrary initial values.

The pipeline was symbolically simulated starting from the initial state. The QSL formula produced by the soundness-preserving translation was false after k = 1 and k = 2 steps of simulation. A look at the Boolean state elements indicated that the system indeed does not converge within two steps. However, after k = 3 steps of simulation, the QSL formula produced was too large to be solved with a BDD-based implementation of our QSL solver [16] or with Difference Decision Diagrams [15]. The formula had 53 quantified integer variables, with 6 levels of quantifier alternations, 836 nodes in a Directed Acyclic Graph (DAG) representation of the formula, and the BDD representing the QBF formula exceeded 1 GB of memory. However, we have been able to prove the convergence of two simplified versions of the pipeline processor.

1. For the first case, we removed the data-path components of the processor, including the register file, operand values and the write-back value. The remaining pipeline still contains the entire control complexity of the original pipeline, including the stalling and the forwarding mechanisms. This model converges after k = 3 steps of simulation, and our decision procedure detects this within 2 seconds with less than 11 MB of memory. The QSL formula contains 27 quantified integer variables, with 4 levels of quantifier alternations and 249 nodes in the DAG form. Notice that this example contains uninterpreted function symbols but does not contain any function state elements.

2. For the second case, we combined the execute and the write-back stages of the pipeline into a single stage (making the pipeline 2-stage), but retained the register file pRF and the data path. The pipeline was modified to accommodate both stalling and forwarding of data. This example converges after k = 2 steps of simulation, and our decision procedure takes 8 seconds to prove it valid. The memory consumption was about 80 MB. The QSL formula contains 29 quantified integer variables, with 4 levels of quantifier alternations and 203 nodes in the DAG form.

We are currently working on an alternate SAT-based implementation of our QSL solver and hope to test the convergence of the pipeline with a few optimizations. We are also experimenting with enumeration-based QBF solvers including Quaffle [18]. The BDD-based implementation might also benefit from early quantification heuristics.

Discussion. The notion of k-convergence is not useful for systems with unbounded buffers, since many such systems do not converge. Moreover, our preliminary results indicate that the convergence criterion we present is precise, but computationally difficult to check. Abstraction techniques, such as predicate abstraction [11], allow for greater efficiency at the expense of using an approximate notion of convergence, and are a promising area for future work.